Python yara.compile() Examples
The following are 30 code examples for showing how to use yara.compile(). These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example.
You may check out the related API usage on the sidebar.
You may also want to check out all available functions/classes of the module
yara
, or try the search function
.
Example 1
| Project: unipacker Author: unipacker File: shell.py License: GNU General Public License v2.0 | 7 votes |
|
def do_yara(self, args):
"""Run YARA rules against the sample
Usage: yara [<rules_path>]
If no rules file is specified, the default 'malwrsig.yar' is being used.
Those rules are then compiled and checked against the memory dump of the current emulator state (see 'dump' for further
details on this representation)"""
if not args:
if not self.rules:
try:
self.rules = yara.compile(filepath=f"{os.path.dirname(unipacker.__file__)}/malwrsig.yar")
print("Default rules file used: malwrsig.yar")
except:
print(f"{Fore.LIGHTRED_EX}Error: malwrsig.yar not found!{Fore.RESET}")
else:
self.rules = yara.compile(filepath=args)
self.sample.unpacker.dump(self.engine.uc, self.engine.apicall_handler, self.sample)
matches = self.rules.match("unpacked.exe")
print(", ".join(map(str, matches)))
Example 2
| Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 6 votes |
|
def dotnet_resource_names(self):
"""
Read .NET Resources and return a list of resource names
:return: list
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
resource_list = []
def modules_callback(data):
for i, resource in enumerate(data.get('resources', [])):
resource_list.append(resource['name'])
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return resource_list
Example 3
| Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 6 votes |
|
def dotnet_resource_by_name(self, resource_name):
"""
Extract a .NET Resource by name
:param resource_name:
:return:
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
def modules_callback(data):
for i, resource in enumerate(data.get('resources', [])):
if resource['name'] == resource_name:
offset = resource['offset']
length = resource['length']
self.res_data = self.file_data[offset:offset + length]
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return self.res_data
Example 4
| Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 6 votes |
|
def elf_list_sections(self):
"""
Read a list of sections from an elf binary
:return: list of section names
"""
try:
rules = yara.compile(source='import "elf" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara ELF did you enable it?")
section_names = []
def modules_callback(data):
for i, section in enumerate(data.get('sections', [])):
section_names.append(section['name'].decode('utf-8'))
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return section_names
Example 5
| Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 6 votes |
|
def elf_section_by_name(self, resource_name):
"""
Extract an elf section by name
:param resource_name:
:return:
"""
try:
rules = yara.compile(source='import "elf" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara ELF did you enable it?")
def modules_callback(data):
for i, section in enumerate(data.get('sections', [])):
if section['name'].decode('utf-8') == resource_name:
offset = section['offset']
length = section['size']
self.res_data = self.file_data[offset:offset + length]
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return self.res_data
Example 6
| Project: rekall Author: google File: yarascanner.py License: GNU General Public License v2.0 | 6 votes |
|
def __init__(self, *args, **kwargs):
"""Scan using yara signatures."""
super(YaraScanMixin, self).__init__(*args, **kwargs)
# Compile the yara rules in advance.
if self.plugin_args.yara_expression:
self.rules_source = self.plugin_args.yara_expression
self.rules = yara.compile(source=self.rules_source)
elif self.plugin_args.binary_string:
self.compile_rule(
'rule r1 {strings: $a = {%s} condition: $a}' %
self.plugin_args.binary_string)
elif self.plugin_args.string:
self.compile_rule(
'rule r1 {strings: $a = "%s" condition: $a}' %
self.plugin_args.string)
elif self.plugin_args.yara_file:
self.compile_rule(open(self.plugin_args.yara_file).read())
elif not self.ignore_required:
raise plugin.PluginError("You must specify a yara rule file or "
"string to match.")
Example 7
| Project: aumfor Author: virtualrealitysystems File: linux_truecrypt.py License: GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example 8
| Project: aumfor Author: virtualrealitysystems File: poisonivy.py License: GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
rules = yara.compile(sources = signatures)
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
if address - vad_base_addr > 0x1000:
continue
yield task, vad_base_addr
Example 9
| Project: ACE Author: IntegralDefense File: pdf-parser.py License: Apache License 2.0 | 6 votes |
|
def YARACompile(ruledata):
if ruledata.startswith('#'):
if ruledata.startswith('#h#'):
rule = binascii.a2b_hex(ruledata[3:])
elif ruledata.startswith('#b#'):
rule = binascii.a2b_base64(ruledata[3:])
elif ruledata.startswith('#s#'):
rule = 'rule string {strings: $a = "%s" ascii wide nocase condition: $a}' % ruledata[3:]
elif ruledata.startswith('#q#'):
rule = ruledata[3:].replace("'", '"')
else:
rule = ruledata[1:]
return yara.compile(source=rule)
else:
dFilepaths = {}
if os.path.isdir(ruledata):
for root, dirs, files in os.walk(ruledata):
for file in files:
filename = os.path.join(root, file)
dFilepaths[filename] = filename
else:
for filename in ProcessAt(ruledata):
dFilepaths[filename] = filename
return yara.compile(filepaths=dFilepaths)
Example 10
| Project: idawilli Author: williballenthin File: yara_fn.py License: Apache License 2.0 | 6 votes |
|
def test_yara_rule(rule):
'''
try to match the given rule against each segment in the current exectuable.
raise TestDidntRunError if its not possible to import the YARA library.
return True if there's at least one match, False otherwise.
'''
try:
import yara
except ImportError:
logger.warning("can't test rule: failed to import python-yara")
raise TestDidntRunError('python-yara not available')
r = yara.compile(source=rule)
for segment in get_segments():
matches = r.match(data=segment.buf)
if len(matches) > 0:
logger.info('generated rule matches section: {segment.name}')
return True
return False
Example 11
| Project: Python-Digital-Forensics-Cookbook Author: PacktPublishing File: yara_scanner.py License: MIT License | 6 votes |
|
def main(yara_rules, path_to_scan, output):
if os.path.isdir(yara_rules):
yrules = yara.compile(yara_rules)
else:
yrules = yara.compile(filepath=yara_rules)
if os.path.isdir(path_to_scan):
match_info = process_directory(yrules, path_to_scan)
else:
match_info = process_file(yrules, path_to_scan)
columns = ['rule_name', 'hit_value', 'hit_offset', 'file_name',
'rule_string', 'rule_tag']
if output is None:
write_stdout(columns, match_info)
else:
write_csv(output, columns, match_info)
Example 12
| Project: ida_haru Author: TakahiroHaruyama File: yara_fn.py License: Apache License 2.0 | 6 votes |
|
def test_yara_rule(rule):
'''
try to match the given rule against each segment in the current exectuable.
raise TestDidntRunError if its not possible to import the YARA library.
return True if there's at least one match, False otherwise.
'''
try:
import yara
except ImportError:
logger.warning("can't test rule: failed to import python-yara")
raise TestDidntRunError('python-yara not available')
r = yara.compile(source=rule)
for segment in get_segments():
if segment.buf is not None:
matches = r.match(data=segment.buf)
if len(matches) > 0:
logger.info('generated rule matches section: {:s}'.format(segment.name))
return True
return False
Example 13
| Project: CIRTKit Author: opensourcesec File: rat.py License: MIT License | 6 votes |
|
def auto(self):
if not HAVE_YARA:
self.log('error', "Missing dependency, install yara (see http://plusvic.github.io/yara/)")
return
if not __sessions__.is_set():
self.log('error', "No session opened")
return
rules = yara.compile(os.path.join(CIRTKIT_ROOT, 'data/yara/rats.yara'))
for match in rules.match(__sessions__.current.file.path):
if 'family' in match.meta:
self.log('info', "Automatically detected supported RAT {0}".format(match.rule))
self.get_config(match.meta['family'])
return
self.log('info', "No known RAT detected")
Example 14
| Project: SSMA Author: secrary File: check.py License: GNU General Public License v3.0 | 6 votes |
|
def is_malware(filename):
if not os.path.exists("rules_compiled/malware"):
os.mkdir("rules_compiled/malware")
for n in os.listdir("rules/malware/"):
if not os.path.isdir("./" + n):
try:
rule = yara.compile("rules/malware/" + n)
rule.save("rules_compiled/malware/" + n)
rule = yara.load("rules_compiled/malware/" + n)
m = rule.match(filename)
if m:
return m
except:
pass # internal fatal error or warning
else:
pass
# Added by Yang
Example 15
| Project: omnibus Author: InQuest File: yara.py License: MIT License | 6 votes |
|
def run(self):
results = {'matches': {}}
all_rules = list_dir(self.rules)
for r in all_rules:
rule = yara.compile(r)
matches = rule.match(data=open(self.artifact['path'], 'rb').read())
for m in matches:
if m.rule not in results['matches'].keys():
results['matches'][m.rule] = []
for tag in m.tags:
if tag not in results['matches'][m.rule]:
results['matches'][m.rule].append(tag)
self.artifact['data']['yara'] = results
Example 16
| Project: Cortex-Analyzers Author: TheHive-Project File: yara_analyzer.py License: GNU Affero General Public License v3.0 | 6 votes |
|
def __init__(self):
Analyzer.__init__(self)
self.rulepaths = self.get_param('config.rules', None, 'No paths for rules provided.')
if isinstance(self.rulepaths, str):
self.rulepaths = [self.rulepaths]
self.ruleset = []
for rulepath in self.rulepaths:
if os.path.isfile(rulepath):
if rulepath[len(rulepath)-3:] == 'yar':
self.ruleset.append(yara.compile(rulepath))
elif rulepath[len(rulepath)-3:] == 'yas':
self.ruleset.append(yara.load(rulepath))
elif os.path.isdir(rulepath):
if os.path.isfile(rulepath + '/index.yas'):
self.ruleset.append(yara.load(rulepath + '/index.yas'))
elif os.path.isfile(rulepath + '/index.yar'):
self.ruleset.append(yara.compile(rulepath + '/index.yar'))
Example 17
| Project: volatility Author: volatilityfoundation File: linux_truecrypt.py License: GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example 18
| Project: vortessence Author: vortessence File: linux_truecrypt.py License: GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example 19
| Project: vortessence Author: vortessence File: poisonivy.py License: GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
rules = yara.compile(sources = signatures)
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
if address - vad_base_addr > 0x1000:
continue
yield task, vad_base_addr
Example 20
| Project: binaryalert Author: airbnb File: compile_rules.py License: Apache License 2.0 | 6 votes |
|
def compile_rules(target_path: str) -> None:
"""Compile YARA rules into a single binary rules file.
Args:
target_path: Where to save the compiled rules file.
"""
# Each rule file must be keyed by an identifying "namespace"; in our case the relative path.
yara_filepaths = {relative_path: os.path.join(RULES_DIR, relative_path)
for relative_path in _find_yara_files()}
# Compile all available YARA rules. Note that external variables are defined but not set;
# these will be set at runtime by the lambda function during rule matching.
rules = yara.compile(
filepaths=yara_filepaths,
externals={'extension': '', 'filename': '', 'filepath': '', 'filetype': ''})
rules.save(target_path)
Example 21
| Project: binaryalert Author: airbnb File: yara_mocks.py License: Apache License 2.0 | 6 votes |
|
def save_test_yara_rules(rules_save_file: str, empty_rules_file: bool = False):
"""Save compiled test YARA rules to the filesystem, which should already be mocked.
Args:
rules_save_file: Path to rules save file.
empty_rules_file: If true, writes an empty rules file.
"""
if empty_rules_file:
sources = {'empty.yar': ''}
else:
sources = {'evil_check.yar': EVIL_STRING_RULE, 'externals.yar': RULES_WITH_VARIABLES}
# Compile YARA rules and save them as an in-memory binary string.
rules = yara.compile(
sources=sources,
externals={'extension': '', 'filename': '', 'filepath': '', 'filetype': ''})
rule_data = io.BytesIO()
rules.save(file=rule_data)
rule_data.seek(0)
# Save the files to the mock filesysytem.
with open(rules_save_file, 'wb') as file:
file.write(rule_data.read())
Example 22
| Project: DAMM Author: 504ensicsLabs File: linux_truecrypt.py License: GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example 23
| Project: PeekabooAV Author: scVENUS File: peekabooyar.py License: GNU General Public License v3.0 | 6 votes |
|
def evaluate(self, s):
rules = yara.compile(
source='''
rule peekabooyar
{
strings:
$peekabooyar1 = "X5O!P%@AP-/_(:)_/-X22x8cz2$PeekabooAV-STD-ANTIVIRUS-TEST-FILE!$H+H*"
condition:
$peekabooyar1
}'''
)
# FIXME: Only user of file_path. Remove?
with open(s.file_path, 'rb') as sample_file:
matches = rules.match(data=sample_file.read())
if matches != []:
return self.result(Result.bad,
"Die Datei beinhaltet Peekabooyar",
False)
return self.result(Result.unknown,
"Die Datei beinhaltet kein erkennbares Peekabooyar",
True)
Example 24
| Project: RATDecoders Author: kevthehermit File: test_yara.py License: MIT License | 5 votes |
|
def test_yara_pe():
yara.compile(source='import "pe" rule a { condition: false }')
Example 25
| Project: RATDecoders Author: kevthehermit File: test_yara.py License: MIT License | 5 votes |
|
def test_yara_dotnet():
yara.compile(source='import "dotnet" rule a { condition: false }')
Example 26
| Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 5 votes |
|
def pe_resource_id(self, res_id):
"""
Read resource by its ID. Useful where normal pe file fails.
:return: list
"""
try:
rules = yara.compile(source='import "pe" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
resource_list = []
def modules_callback(data):
for i, resource in enumerate(data.get('resources', [])):
if 'id' in resource:
if resource['id'] == res_id:
offset = resource['offset']
length = resource['length']
self.res_data = self.file_data[offset:offset + length]
elif 'name_string' in resource:
# Remove null bytes for a better comparison
res_name = resource['name_string'].decode('UTF-8').replace('\x00', '')
# Check both unicode and plain str versions of name
if res_name == res_id or resource['name_string'] == res_id:
offset = resource['offset']
length = resource['length']
self.res_data = self.file_data[offset:offset + length]
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return self.res_data
Example 27
| Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 5 votes |
|
def dotnet_user_strings(self):
"""
Parse a list of User Strings from a .NET Binary file
:return: list of strings
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
user_strings = []
def modules_callback(data):
for i, userstring in enumerate(data.get('user_strings', [])):
# Remove null bytes
userstring = userstring.replace(b'\x00', b'')
# Add string to list
try:
user_strings.append(userstring.decode('utf-8'))
except UnicodeDecodeError:
pass
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return user_strings
Example 28
| Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 5 votes |
|
def ascii_strings(self, min_len=4):
"""
parse a list of ascii strings from a binary file
:return:
"""
string_list = []
chars = b" !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t"
regexp = b'[%s]{%d,}' % (chars, min_len)
pattern = re.compile(regexp)
for s in pattern.finditer(self.file_data):
string_list.append(s.group())
return string_list
Example 29
| Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 5 votes |
|
def unicode_strings(self, min_len=4):
string_list = []
chars = r" !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t"
regexp = b'((?:[%s]\x00){%d,})' % (chars, min_len)
pattern = re.compile(regexp)
for s in pattern.finditer(self.file_data):
string_list.append(s.group())
Example 30
| Project: RATDecoders Author: kevthehermit File: netwire.py License: MIT License | 5 votes |
|
def yara_scan(self, raw_data, rule_name):
yara_data = []
yara_rules = yara.compile(source=rule_source)
matches = yara_rules.match(data=raw_data)
for match in matches:
if match.rule == 'opcodes':
for item in match.strings:
if item[1] == rule_name:
data = item[2]
yara_data.append(data)
return yara_data
